MAGETWO-16192: Security: Clickjacking solution - introduce X-Frame-Options

Dale Sikkema · Dale Sikkema · commit f831931213b8 · 2015-06-17T10:14:54.000-05:00
- use plugin to send xFrameOptions header when response is sent
 - get inject header value into plugin via DI argument injection
 - setup a config field in env.php to contain non-backend header values
diff --git a/.htaccess b/.htaccess
@@ -65,13 +65,6 @@
     SecFilterScanPOST Off
 </IfModule>
 
-<IfModule mod_headers.c>
-############################################
-## prevent clickjacking
-
-    Header set X-Frame-Options SAMEORIGIN
-</IfModule>
-
 <IfModule mod_deflate.c>
 
 ############################################
@@ -187,4 +180,4 @@
 ## If running in cluster environment, uncomment this
 ## http://developer.yahoo.com/performance/rules.html#etags
 
-    #FileETag none
+    #FileETag none
diff --git a/app/code/Magento/Backend/etc/adminhtml/di.xml b/app/code/Magento/Backend/etc/adminhtml/di.xml
@@ -122,4 +122,9 @@
             </argument>
         </arguments>
     </type>
+    <type name="Magento\Framework\App\Response\XFrameOptPlugin">
+        <arguments>
+            <argument name="xFrameOpt" xsi:type="const">Magento\Framework\App\Response\XFrameOptPlugin::BACKEND_X_FRAME_OPT</argument>
+        </arguments>
+    </type>
 </config>
diff --git a/app/code/Magento/Store/etc/di.xml b/app/code/Magento/Store/etc/di.xml
@@ -296,4 +296,8 @@
             </argument>
         </arguments>
     </type>
+    <type name="Magento\Framework\App\Response\Http">
+        <plugin name="xFrameOptionsHeader" type="Magento\Framework\App\Response\XFrameOptPlugin"/>
+    </type>
+
 </config>
diff --git a/app/etc/di.xml b/app/etc/di.xml
@@ -134,6 +134,11 @@
     <preference for="Magento\Framework\Api\ImageContentValidatorInterface" type="Magento\Framework\Api\ImageContentValidator" />
     <preference for="Magento\Framework\Api\ImageProcessorInterface" type="Magento\Framework\Api\ImageProcessor" />
     <preference for="Magento\Framework\Code\Reader\ClassReaderInterface" type="Magento\Framework\Code\Reader\ClassReader" />
+    <type name="Magento\Framework\App\Response\XFrameOptPlugin">
+        <arguments>
+                <argument name="xFrameOpt" xsi:type="init_parameter">Magento\Framework\App\Response\XFrameOptPlugin::DEPLOYMENT_CONFIG_X_FRAME_OPT</argument>
+        </arguments>
+    </type>
     <type name="Magento\Framework\Model\Resource\Db\TransactionManager" shared="false" />
     <type name="Magento\Framework\Logger\Handler\Base">
         <arguments>
diff --git a/lib/internal/Magento/Framework/App/Response/Http.php b/lib/internal/Magento/Framework/App/Response/Http.php
@@ -21,6 +21,9 @@ class Http extends \Magento\Framework\HTTP\PhpEnvironment\Response
     /** Format for expiration timestamp headers */
     const EXPIRATION_TIMESTAMP_FORMAT = 'D, d M Y H:i:s T';
 
+    /** X-FRAME-OPTIONS Header name */
+    const HEADER_X_FRAME_OPT = 'X-Frame-Options';
+
     /** @var \Magento\Framework\Stdlib\CookieManagerInterface */
     protected $cookieManager;
 
@@ -51,6 +54,18 @@ public function __construct(
         $this->dateTime = $dateTime;
     }
 
+    /**
+     * Sends the X-FRAME-OPTIONS header to protect against click-jacking
+     *
+     * @param string $value
+     * @return void
+     * @codeCoverageIgnore
+     */
+    public function setXFrameOptions($value)
+    {
+        $this->setHeader(self::HEADER_X_FRAME_OPT, $value);
+    }
+
     /**
      * Send Vary cookie
      *
@@ -109,6 +124,7 @@ public function setPrivateHeaders($ttl)
      * Set headers for no-cache responses
      *
      * @return void
+     * @codeCoverageIgnore
      */
     public function setNoCacheHeaders()
     {
@@ -122,6 +138,7 @@ public function setNoCacheHeaders()
      *
      * @param string $content String in JSON format
      * @return \Magento\Framework\App\Response\Http
+     * @codeCoverageIgnore
      */
     public function representJson($content)
     {
@@ -131,6 +148,7 @@ public function representJson($content)
 
     /**
      * @return string[]
+     * @codeCoverageIgnore
      */
     public function __sleep()
     {
@@ -141,6 +159,7 @@ public function __sleep()
      * Need to reconstruct dependencies when being de-serialized.
      *
      * @return void
+     * @codeCoverageIgnore
      */
     public function __wakeup()
     {
@@ -154,6 +173,7 @@ public function __wakeup()
      *
      * @param string $time
      * @return string
+     * @codeCoverageIgnore
      */
     protected function getExpirationHeader($time)
     {
diff --git a/lib/internal/Magento/Framework/App/Response/XFrameOptPlugin.php b/lib/internal/Magento/Framework/App/Response/XFrameOptPlugin.php
@@ -0,0 +1,43 @@
+<?php
+/***
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Magento\Framework\App\Response;
+
+/**
+ * Adds an X-FRAME-OPTIONS header to HTTP responses to safeguard against click-jacking.
+ * @codeCoverageIgnore
+ */
+class XFrameOptPlugin
+{
+    /** Deployment config key for frontend x-frame-options header value */
+    const DEPLOYMENT_CONFIG_X_FRAME_OPT = 'x-frame-options';
+
+    /** Always send DENY in backend x-frame-options header */
+    const BACKEND_X_FRAME_OPT = 'DENY';
+
+    /**
+     *The header value
+     * @var string
+     */
+    private $xFrameOpt;
+
+    /**
+     * @param string $xFrameOpt
+     */
+    public function __construct($xFrameOpt)
+    {
+        $this->xFrameOpt = $xFrameOpt;
+    }
+
+    /**
+     * @param \Magento\Framework\App\Response\Http $subject
+     * @return void
+     */
+    public function beforeSendResponse(\Magento\Framework\App\Response\Http $subject)
+    {
+        $subject->setXFrameOptions($this->xFrameOpt);
+    }
+}
diff --git a/lib/internal/Magento/Framework/Config/ConfigOptionsListConstants.php b/lib/internal/Magento/Framework/Config/ConfigOptionsListConstants.php
@@ -22,6 +22,7 @@ class ConfigOptionsListConstants
     const CONFIG_PATH_DB_CONNECTION_DEFAULT = 'db/connection/default';
     const CONFIG_PATH_DB_CONNECTIONS = 'db/connection';
     const CONFIG_PATH_DB_PREFIX = 'db/table_prefix';
+    const CONFIG_PATH_X_FRAME_OPT = 'x-frame-options';
     /**#@-*/
 
     /**#@+
@@ -67,7 +68,7 @@ class ConfigOptionsListConstants
     const KEY_INIT_STATEMENTS = 'initStatements';
     const KEY_ACTIVE = 'active';
     /**#@-*/
-    
+
     /**
      * Db config key
      */
diff --git a/setup/src/Magento/Setup/Model/ConfigGenerator.php b/setup/src/Magento/Setup/Model/ConfigGenerator.php
@@ -210,4 +210,18 @@ public function createResourceConfig()
 
         return $configData;
     }
+
+    /**
+     * Creates x-frame-options header config data
+     *
+     * @return ConfigData
+     */
+    public function createXFrameConfig()
+    {
+        $configData = new ConfigData(ConfigFilePool::APP_ENV);
+        if ($this->deploymentConfig->get(ConfigOptionsListConstants::CONFIG_PATH_X_FRAME_OPT) === null) {
+            $configData->set(ConfigOptionsListConstants::CONFIG_PATH_X_FRAME_OPT, 'DENY');
+        }
+        return $configData;
+    }
 }
diff --git a/setup/src/Magento/Setup/Model/ConfigOptionsList.php b/setup/src/Magento/Setup/Model/ConfigOptionsList.php
@@ -158,6 +158,7 @@ public function createConfig(array $data, DeploymentConfig $deploymentConfig)
         }
         $configData[] = $this->configGenerator->createDbConfig($data);
         $configData[] = $this->configGenerator->createResourceConfig();
+        $configData[] = $this->configGenerator->createXFrameConfig();
         return $configData;
     }
 
diff --git a/setup/src/Magento/Setup/Test/Unit/Model/ConfigGeneratorTest.php b/setup/src/Magento/Setup/Test/Unit/Model/ConfigGeneratorTest.php
@@ -0,0 +1,41 @@
+<?php
+/***
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Magento\Setup\Test\Unit\Model;
+
+
+use Magento\Framework\Config\ConfigOptionsListConstants;
+
+class ConfigGeneratorTest extends \PHPUnit_Framework_TestCase
+{
+    /** @var  \Magento\Framework\App\DeploymentConfig | \PHPUnit_Framework_MockObject_MockObject */
+    private $deploymentConfigMock;
+    /** @var  \Magento\Setup\Model\ConfigGenerator | \PHPUnit_Framework_MockObject_MockObject */
+    private $model;
+
+    public function setUp()
+    {
+        $objectManager = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
+
+        $this->deploymentConfigMock = $this->getMockBuilder('Magento\Framework\App\DeploymentConfig')
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->model = $objectManager->getObject(
+            'Magento\Setup\Model\ConfigGenerator',
+            ['deploymentConfig' => $this->deploymentConfigMock]
+        );
+    }
+
+    public function testCreateXFrameConfig()
+    {
+        $this->deploymentConfigMock->expects($this->atLeastOnce())
+            ->method('get')
+            ->with(ConfigOptionsListConstants::CONFIG_PATH_X_FRAME_OPT)
+            ->willReturn(null);
+        $configData = $this->model->createXFrameConfig();
+        $this->assertSame('DENY', $configData->getData()[ConfigOptionsListConstants::CONFIG_PATH_X_FRAME_OPT]);
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,9 @@ class Http extends \Magento\Framework\HTTP\PhpEnvironment\Response`
`21`	`21`	`/** Format for expiration timestamp headers */`
`22`	`22`	`const EXPIRATION_TIMESTAMP_FORMAT = 'D, d M Y H:i:s T';`
`23`	`23`
	`24`	`+ /** X-FRAME-OPTIONS Header name */`
	`25`	`+ const HEADER_X_FRAME_OPT = 'X-Frame-Options';`
	`26`	`+`
`24`	`27`	`/** @var \Magento\Framework\Stdlib\CookieManagerInterface */`
`25`	`28`	`protected $cookieManager;`
`26`	`29`
`@@ -51,6 +54,18 @@ public function __construct(`
`51`	`54`	`$this->dateTime = $dateTime;`
`52`	`55`	`}`
`53`	`56`
	`57`	`+ /**`
	`58`	`+ * Sends the X-FRAME-OPTIONS header to protect against click-jacking`
	`59`	`+ *`
	`60`	`+ * @param string $value`
	`61`	`+ * @return void`
	`62`	`+ * @codeCoverageIgnore`
	`63`	`+ */`
	`64`	`+ public function setXFrameOptions($value)`
	`65`	`+ {`
	`66`	`+ $this->setHeader(self::HEADER_X_FRAME_OPT, $value);`
	`67`	`+ }`
	`68`	`+`
`54`	`69`	`/**`
`55`	`70`	`* Send Vary cookie`
`56`	`71`	`*`
`@@ -109,6 +124,7 @@ public function setPrivateHeaders($ttl)`
`109`	`124`	`* Set headers for no-cache responses`
`110`	`125`	`*`
`111`	`126`	`* @return void`
	`127`	`+ * @codeCoverageIgnore`
`112`	`128`	`*/`
`113`	`129`	`public function setNoCacheHeaders()`
`114`	`130`	`{`
`@@ -122,6 +138,7 @@ public function setNoCacheHeaders()`
`122`	`138`	`*`
`123`	`139`	`* @param string $content String in JSON format`
`124`	`140`	`* @return \Magento\Framework\App\Response\Http`
	`141`	`+ * @codeCoverageIgnore`
`125`	`142`	`*/`
`126`	`143`	`public function representJson($content)`
`127`	`144`	`{`
`@@ -131,6 +148,7 @@ public function representJson($content)`
`131`	`148`
`132`	`149`	`/**`
`133`	`150`	`* @return string[]`
	`151`	`+ * @codeCoverageIgnore`
`134`	`152`	`*/`
`135`	`153`	`public function __sleep()`
`136`	`154`	`{`
`@@ -141,6 +159,7 @@ public function __sleep()`
`141`	`159`	`* Need to reconstruct dependencies when being de-serialized.`
`142`	`160`	`*`
`143`	`161`	`* @return void`
	`162`	`+ * @codeCoverageIgnore`
`144`	`163`	`*/`
`145`	`164`	`public function __wakeup()`
`146`	`165`	`{`
`@@ -154,6 +173,7 @@ public function __wakeup()`
`154`	`173`	`*`
`155`	`174`	`* @param string $time`
`156`	`175`	`* @return string`
	`176`	`+ * @codeCoverageIgnore`
`157`	`177`	`*/`
`158`	`178`	`protected function getExpirationHeader($time)`
`159`	`179`	`{`
Original file line number	Diff line number	Diff line change
`@@ -158,6 +158,7 @@ public function createConfig(array $data, DeploymentConfig $deploymentConfig)`
`158`	`158`	`}`
`159`	`159`	`$configData[] = $this->configGenerator->createDbConfig($data);`
`160`	`160`	`$configData[] = $this->configGenerator->createResourceConfig();`
	`161`	`+ $configData[] = $this->configGenerator->createXFrameConfig();`
`161`	`162`	`return $configData;`
`162`	`163`	`}`
`163`	`164`